
Wednesday 22 February 2012

Transparent ZBF, IRB, and VRF troubleshooting.

“Why doesn’t this ping work!?!”
Here is a simple three-router configuration; well, at least it is simple on two of the three routers. R1 and R3 are configured quite traditionally, but R2 is a bit more involved.
Here is the diagram.
[Diagram: ZBF Transparent VRF R2]
Here are the details.
R2 places both of its LAN interfaces (FastEthernet0/0 and FastEthernet0/1) in a VRF. R2 is also acting as a Zone-Based Firewall in transparent mode, allowing all ICMP traffic in both directions, plus SSH from the inside network to the outside network. R2 has a bridge-group virtual interface (BVI) with an address in the 10.123.0.0/24 network. All three routers run OSPF and the adjacencies are up, yet pings issued from R2 to the loopbacks of R1 and R3 fail.
Can you identify why?
Here is the relevant output:

R1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
3.3.3.3           1   FULL/DR         00:00:39    10.123.0.3      FastEthernet0/0
10.123.0.2        1   FULL/BDR        00:00:32    10.123.0.2      FastEthernet0/0
R1#show ip route ospf
     3.0.0.0/32 is subnetted, 1 subnets
O       3.3.3.3 [110/2] via 10.123.0.3, 00:01:33, FastEthernet0/0

R1#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 60/88/172 ms
R1#ssh -l admin 3.3.3.3
Password: <password>

R3#show ssh
Connection Version Mode Encryption  Hmac         State                 Username
0          1.99     IN   aes128-cbc  hmac-sha1    Session started       admin
0          1.99     OUT  aes128-cbc  hmac-sha1    Session started       admin
%No SSHv1 server connections running.
R3#exit

[Connection to 3.3.3.3 closed by foreign host]
R1#
Now for R2:
R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:37    10.123.0.1      BVI1
3.3.3.3           1   FULL/DR         00:00:35    10.123.0.3      BVI1

R2#show ip route ospf

R2#show policy-map type inspect zone-pair
 Zone-pair: zp-in-to-out

  Service-policy inspect : p-in-to-out

    Class-map: c-in-to-out (match-any)
      Match: protocol icmp
        4 packets, 320 bytes
        30 second rate 0 bps
      Match: protocol ssh
        3 packets, 72 bytes
        30 second rate 0 bps
      Inspect
        Packet inspection statistics [process switch:fast switch]
        tcp packets: [4:390]
        icmp packets: [0:50]

        Session creations since subsystem startup or last reset 8
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [2:1:1]
        Last session created 00:02:23
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 3
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        0 packets, 0 bytes
 Zone-pair: zp-out-to-in

  Service-policy inspect : p-out-to-in

    Class-map: c-out-to-in (match-all)
      Match: protocol icmp
      Inspect
        Packet inspection statistics [process switch:fast switch]
        icmp packets: [0:20]

        Session creations since subsystem startup or last reset 2
        Current session counts (estab/half-open/terminating) [0:0:0]
        Maxever session counts (estab/half-open/terminating) [1:1:0]
        Last session created 00:25:24
        Last statistic reset never
        Last session creation rate 0
        Maxever session creation rate 1
        Last half-open session total 0

    Class-map: class-default (match-any)
      Match: any
      Drop (default action)
        4 packets, 96 bytes

R2#ping 3.3.3.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

R2#show run
version 12.4
hostname R2
!
ip vrf myvrf
!
class-map type inspect match-any c-in-to-out
 match protocol icmp
 match protocol ssh
class-map type inspect match-all c-out-to-in
 match protocol icmp
!
policy-map type inspect p-in-to-out
 class type inspect c-in-to-out
  inspect
 class class-default
policy-map type inspect p-out-to-in
 class type inspect c-out-to-in
  inspect
 class class-default
!
zone security inside
zone security outside
zone-pair security zp-in-to-out source inside destination outside
 service-policy type inspect p-in-to-out
zone-pair security zp-out-to-in source outside destination inside
 service-policy type inspect p-out-to-in
bridge irb
!
interface FastEthernet0/0
 ip vrf forwarding myvrf
 no ip address
 zone-member security inside
 bridge-group 1
!
interface FastEthernet0/1
 ip vrf forwarding myvrf
 no ip address
 zone-member security outside
 bridge-group 1
!
interface BVI1
 ip vrf forwarding myvrf
 ip address 10.123.0.2 255.255.255.0
!
router ospf 1 vrf myvrf
 router-id 10.123.0.2
 network 0.0.0.0 255.255.255.255 area 0
!
bridge 1 protocol ieee
bridge 1 route ip
end
Here is R3:
R3#show ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
1.1.1.1           1   FULL/DROTHER    00:00:32    10.123.0.1      FastEthernet0/1
10.123.0.2        1   FULL/BDR        00:00:31    10.123.0.2      FastEthernet0/1

R3#show ip route ospf
     1.0.0.0/32 is subnetted, 1 subnets
O       1.1.1.1 [110/2] via 10.123.0.1, 00:29:36, FastEthernet0/1

R3#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/117/176 ms
R3#
Similar configuration scenarios are included in both our RS and SC workbooks at NB.
Take a moment and post your ideas on why the ping from R2 is failing. Thanks for taking the time to assist!
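For anyone working the puzzle, here is a VRF-aware verification pass on R2. It is an editor's troubleshooting checklist added to this page, not output from the original post, and no command output is shown because none was captured. It assumes the VRF name myvrf, the zone names inside/outside and bridge-group 1 exactly as they appear in the configuration above; the "!" lines are annotations, not commands. The checks separate a routing-table problem from a firewall-policy problem: on IOS, show ip route, ping and traceroute consult the global routing table unless the vrf keyword is given, while the zone-pair class-default drop counters only move when the inspect policy actually sees and discards a packet.

```cisco
! Added troubleshooting checklist for R2 (not part of the original post).
! Assumes VRF "myvrf", zones "inside"/"outside" and bridge-group 1 as configured above.

! 1. Which interfaces really belong to the VRF? Fa0/0, Fa0/1 and BVI1 should all be listed.
show ip vrf interfaces myvrf

! 2. Routing: compare the global table with the VRF table.
!    "show ip route ospf" with no vrf keyword shows the GLOBAL table only.
show ip route ospf
show ip route vrf myvrf ospf
show ip route vrf myvrf 3.3.3.3
show ip protocols vrf myvrf

! 3. Repeat the failing ping twice: once resolved in the global table,
!    once resolved in the VRF that BVI1 and the OSPF process live in.
ping 3.3.3.3
ping vrf myvrf 3.3.3.3

! 4. Firewall side: zone membership (note that BVI1 is in no zone) and the
!    per-zone-pair counters. Snapshot the counters, run step 3, snapshot again.
show zone security
show zone-pair security
show policy-map type inspect zone-pair
show policy-map type inspect zone-pair sessions

! 5. Bridging: both physical ports should be forwarding in bridge-group 1,
!    and IP should be routed (not bridged) over BVI1.
show bridge group
show interfaces irb
```

Reading the results: if ping vrf myvrf 3.3.3.3 succeeds while the unqualified ping fails, the inspect policy was never involved; the unqualified ping simply performed its lookup in a table that has no route to 3.3.3.3, which is also why the unqualified show ip route ospf on R2 printed nothing even though the OSPF neighbors are FULL. If both pings fail and the class-default drop counter on one of the zone-pairs increments, the policy is discarding the traffic; remember that traffic the router itself originates belongs to the self zone, which IOS permits by default as long as no zone-pair references self.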
